
In the past few weeks we’ve noticed a problematic pattern developing: the increasing use of exploit kits in malvertising. In particular, zero-day exploits (usually seen first in targeted attacks) are now being deployed in malicious ads right away, instead of first being used in targeted attacks against enterprises or other large organizations.

This is a worrying trend, as it means that more users could be affected by these threats before a patch becomes available. Two of the recent Adobe Flash zero-days (CVE-2015-0311 and CVE-2015-0313) were delivered to end users via malvertisements, putting large numbers of users at risk.

Some patterns in the attacks from 2014 are expected to continue into 2015, such as:

Increasing targeting of Flash vulnerabilities for exploitation. Previously, Java and Acrobat/Reader vulnerabilities were some of the most frequently targeted by exploit kits.

We saw fewer exploit kit “brands” in use in 2014. This was in contrast to previous years, where the number of exploit kit “brands” was growing. However, the kits that are currently being actively developed are becoming more sophisticated, with increasing use of evasion techniques.

Figure 1. Number of exploit kits in use

What can users and enterprises do to protect themselves against these threats? The most important defense against an exploit kit is to keep installed software as up-to-date as possible. While zero-days are seeing more usage in exploit kits, older vulnerabilities that have already been patched are still widely used. By keeping their software updated, end users can mitigate much of the risk associated with these threats.

Security products can also help mitigate the risks. Products with smart sandboxes can be used to help find and detect malicious behavior, including zero-day exploits. In addition, products that use web and file reputation detection can also block the redirection chain and detect payloads.

Almost every Patch Tuesday cycle contains one bulletin that (for convenience) rolls up multiple Internet Explorer vulnerabilities into a single bulletin. February’s Patch Tuesday cumulative IE bulletin (MS15-009) included a fix for a particularly interesting vulnerability that could be used to bypass one of the key anti-exploit technologies in use today, address space layout randomization (ASLR).

This vulnerability was designated CVE-2015-0071. To be used in an attack, this vulnerability must be combined with another one that is capable of actually running code on the affected machines. In attacks seen by iSIGHT, this has been paired with an Adobe Flash vulnerability (CVE-2014-9163), which was fixed in December.

This vulnerability was found in the jscript9.dll module. To analyze this vulnerability, I examined this file (version 9.0.8112.1645) on a Windows 7, 32-bit system.

Patch differences

Examining the patched and unpatched versions of this DLL, we found a modification in the SetProperty function.

Figure 1. Patched SetProperty function

Figure 2. Unpatched SetProperty function

In the patched version, the function Js::JavascriptRegExpConstructors::EnsureValues is called, and only then is the property’s value set. The unpatched version does not call this particular function at all.

Understanding the function EnsureValues is the key to fully analyzing this vulnerability. To do that, we first need to explain some of the data structures used for regular expressions.

Ransomware has become one of the biggest problems for end users as of late. In the past months alone, we have reported on several variants of both ransomware and crypto-ransomware, each with their own “unique” routines. We recently came across one malware family, detected as PE_VIRLOCK, that not only locks the computer screen but also infects files—a first for ransomware.

Once inside the computer, VIRLOCK creates and modifies registry entries to avoid detection and ensure execution. It then locks the screen of the affected computer, disabling explorer.exe and preventing the use of taskmgr.exe. Meanwhile, it also checks the location of the affected system to display the appropriate image for the ransom message.

Information about the overall threat landscape can be gathered from many sources. One useful method is by looking at the overall activity of command-and-control (C&C) servers, as used in botnets, targeted attacks, and in attacks against the broader Internet user base.

We are able to combine various threat intelligence sources, including feedback from the Trend Micro™ Smart Protection Network™, to get a glimpse of C&C server activity (these are displayed in real time on the Global Botnet Map). Our findings below reflect the information we gathered throughout all of 2014. We are able to examine the location of C&C servers, the location of endpoints, as well as the malware families that use these servers.

So what can we learn from these numbers, and can IT professionals help reduce this threat?

Malware using more ways to ensure server communication

We ranked the most commonly used malware families by the number of command-and-control servers tied to each family. For all C&C server activity, these were the most commonly used families:

CRILOCK

RODECAP

ZEUS

FAKEAV

BLADABINDI

For targeted attacks, these were the most commonly seen families:

DARKCOMET

XTREME

NJRAT

GHOSTRAT

START

Some trends can be seen from these numbers:

Malware families that use domain generation algorithms (DGAs) like CRILOCK are well-represented in the lists, highlighting their popularity. Despite the differences in underlying behavior (crypto-ransomware versus information stealers), DGAs are popular as they make blocking of malicious domains more difficult with relatively little added expenditure of effort on the part of attackers.

Compromised sites are also popular C&C servers. ZeuS/ZBOT and RODECAP are both known to use compromised sites for their C&C servers, and both families are known to use this particular tactic extensively.

Similarly, free web hosting providers and dynamic IP redirection services are commonly used by some malware families such as NJRAT and DarkComet.

Many remote access tools (RATs) that were initially used in targeted attacks have now been used in various cybercrime-related attacks as well. This highlights the increased availability of these RATs, as well as the low entry barrier to registering and setting up C&C domains.

Taken together, these developments show how attackers are adopting more techniques to try and obfuscate the C&C servers under their control. This can make forensic analysis of these attacks much more difficult, making detection and attribution potentially problematic.

Stealing payment card data has become an everyday crime that yields quick monetary gains. Attackers aim to steal the data stored in the magnetic stripe of payment cards, optionally clone the cards, and run charges on the accounts associated with them. The topic of PoS RAM scraper malware always prompts businesses and retailers to ask two important questions: “How do I protect myself?” and “What new technologies are vendors introducing to protect businesses and consumers?”

This blog entry seeks to answer these questions by discussing a PoS Defense Model and new technologies that can protect businesses and consumers from PoS RAM attacks.

PoS Defense Model

Based on our analysis of the PoS RAM scraper attack chain and PCI-DSS and PA-DSS requirements, we have created a multi-tiered PoS Defense Model that businesses and retailers can implement to defend against PoS RAM scraper malware attacks.

Figure 1. Multi-tiered PoS Defense Model

The four layers of the PoS Defense Model are:

Infection Layer – this is the first and most important line of defense against PoS RAM scrapers as it aims to prevent initial infection, or block the malware’s execution before it causes damage.

Lateral Movement Layer – if the infection layer fails to stop the malware, then the next layer of defense aims to identify suspicious or malicious behavior when the malware attempts to spread and blocks it.

C&C and Data Exfiltration Layer – the stolen credit card data is only valuable after it has been exfiltrated from the victim machine. The final layer of defense aims to prevent the malware from communicating with the C&C servers and prevent exfiltration of stolen data.

We have identified 26 defensive technologies and strategies that businesses and retailers can implement in their environments to defend against PoS RAM scraper attacks. The following Venn diagram shows these defensive technologies and strategies placed within the PoS Defense Model.

Figure 2. Defensive technologies and strategies

Next Generation Payment Technologies

The new reality is that any Internet-connected device that processes payment card data should be viewed as a data theft target. Buyer security rests on the shoulders of several key players – device manufacturers, service providers, businesses, banks, and even credit card brands. Strong IT defense goes a long way in preventing PoS system breaches but it is not a magic bullet. New secure payment technologies must also be deployed alongside strong IT defenses to protect against PoS RAM scrapers. Two technologies that are being widely deployed are:

EMV or Chip-and-PIN cards

Figure 3. Encrypted data stored in chip (outlined in red)

EuroPay, MasterCard, and Visa (EMV) is the global standard for Integrated Circuit Cards (ICC). EMV cards store encrypted Tracks 1 and 2 data on a chip in the card. This chip stores a cryptogram that allows banks to determine if cards or transactions have been modified. It also stores a counter that gets incremented with each transaction. Duplicate or skipped counter values indicate potential fraudulent activities. The EMV cards interact with PoS terminals that have ICC readers and use the EMV-defined protocol for transactions. Similar to debit cards, cardholders need to input a PIN for authentication before the transaction is processed.
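To show how the cryptogram and transaction counter described above let an issuer catch modified or replayed transactions, here is a constructed issuer-side model (an added example, not the blog's or any payment network's code). HMAC-SHA256 stands in for the card's MAC, and the PAN, key and amounts are made-up values; real EMV uses 3DES/AES-based MACs with keys derived per transaction.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Assumption: the card MACs the PAN, Application Transaction Counter (ATC),
# amount and the terminal's unpredictable number with a per-card key.
def card_cryptogram(card_key: bytes, pan: str, atc: int,
                    amount_cents: int, unpredictable: bytes) -> bytes:
    msg = f"{pan}|{atc}|{amount_cents}|".encode() + unpredictable
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]

@dataclass
class IssuerHost:
    keys: dict                                   # pan -> card key (constructed)
    last_atc: dict = field(default_factory=dict) # pan -> highest ATC seen

    def authorize(self, pan: str, atc: int, amount_cents: int,
                  unpredictable: bytes, cryptogram: bytes) -> str:
        key = self.keys.get(pan)
        if key is None:
            return "DECLINE: unknown card"
        expected = card_cryptogram(key, pan, atc, amount_cents, unpredictable)
        if not hmac.compare_digest(expected, cryptogram):
            # Amount/ATC tampered with, or a clone without the card key
            return "DECLINE: bad cryptogram"
        prev = self.last_atc.get(pan, 0)
        if atc <= prev:
            # Same counter value seen again: a replayed or duplicated transaction
            return "DECLINE: duplicate ATC"
        self.last_atc[pan] = atc
        if atc != prev + 1:
            # Counter jumped: transactions happened that the issuer never saw
            return "APPROVE: flag skipped ATC"
        return "APPROVE"
```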

Encryption plus Tokenization

PoS RAM scrapers will have nothing to steal if credit card Tracks 1 and 2 data are not present in the PoS system’s RAM. This is the underlying principle behind the new payment processing architectures being developed and deployed today. One implementation combines encryption with tokenization, a process that replaces a high-value credential such as a credit card number with a surrogate value that is then used in transactions in its place.

Figure 4. Process flow for Encryption and Tokenization

The workflow is as follows:

Customer swipes their credit card at the merchant’s PoS terminal to complete the purchase.

The PoS terminal reads and encrypts the credit card data and transmits it to the Payment Service Provider (PSP) for processing.

The PSP forwards the credit card data to the banks (acquirers & issuers) for authorization.

The PSP uses a tokenization algorithm to replace the actual credit card data with a token.

The generated token and bank authorization status are sent back to the merchant’s PoS system.

The merchant’s PoS system stores the token instead of the actual credit card data in all places.
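The six-step flow above, as a constructed end-to-end model (an added example, not the blog's or any PSP's code): the terminal encrypts the swipe, only the PSP decrypts and tokenizes, and the merchant side ends up holding nothing a Track 2 pattern match could find. An HMAC-SHA256 keystream in counter mode stands in for the terminal's point-to-point encryption (assumption; real terminals use hardware-held AES/TDES keys), and the Track 2 string, key and token format are made up.

```python
import hashlib
import hmac
import re
import secrets

# DLP-style check for cleartext Track 2 data: PAN, '=' separator, expiry/service code.
TRACK2_RE = re.compile(rb";?\d{13,19}=\d{4}\d*\??")

def contains_track_data(buf: bytes) -> bool:
    """The check a defender's memory/DLP scan runs over a PoS host's buffers."""
    return TRACK2_RE.search(buf) is not None

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Assumption: HMAC in counter mode as a stand-in for the terminal's cipher
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))

def terminal_encrypt(terminal_key: bytes, track2: bytes) -> bytes:
    """Steps 1-2: the terminal encrypts the swipe before it reaches the PoS host."""
    nonce = secrets.token_bytes(12)
    return nonce + _xor(track2, _keystream(terminal_key, nonce, len(track2)))

class PaymentServiceProvider:
    """Steps 3-5: the only party that ever handles cleartext card data."""
    def __init__(self, terminal_key: bytes):
        self.terminal_key = terminal_key
        self.vault = {}  # token -> Track 2 data; never leaves the PSP

    def process(self, blob: bytes) -> dict:
        nonce, ct = blob[:12], blob[12:]
        track2 = _xor(ct, _keystream(self.terminal_key, nonce, len(ct)))
        pan = track2.lstrip(b";").split(b"=")[0].decode()
        approved = len(pan) >= 13          # stand-in for acquirer/issuer authorization
        token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"  # random surrogate; last 4 for receipts
        self.vault[token] = track2
        return {"token": token, "approved": approved}

def merchant_checkout(terminal_key: bytes, psp: PaymentServiceProvider, track2: bytes) -> dict:
    """Step 6: the merchant's PoS system keeps only what the PSP returns."""
    blob = terminal_encrypt(terminal_key, track2)
    resp = psp.process(blob)
    # Everything the PoS host process ever held: the ciphertext and the token
    pos_memory = blob + resp["token"].encode()
    return {"token": resp["token"], "approved": resp["approved"], "pos_memory": pos_memory}
```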

The Future for PoS RAM Scraper Attacks

As PoS RAM scrapers become more prominent threats, big businesses will heavily invest in cybersecurity to prevent attacks against their PoS environments. Attackers will thus refocus on SMBs, as these may not necessarily have the cybersecurity budgets that enterprises have to prevent PoS system breaches. We expect to see more SMBs get compromised, which will collectively be a bigger breach than compromising a few enterprises.

Rollout of new security measures will significantly change the PoS playing field for attackers. As businesses upgrade to new secure payment systems, attackers will attempt to come up with new strategies against improved systems and environments.